In an effort to reflect developments in the marketplace, the Federal Trade Commission (FTC) announced revised compliance guidelines for the Children’s Online Privacy Protection Act (COPPA) and the agency’s COPPA Rule.
The updated “Six-Step Compliance Plan for Your Business” includes new business models, new products and new methods for obtaining parental consent. The agency’s guidance begins with step one: determining whether the company is a website that collects personal information from children under the age of 13.
To do this, businesses should consider the definition of a “website or online service,” what it means to be “directed” to children under 13 (a calculus involving a variety of factors, from the subject matter of the site or service to the use of animated characters), what types of data are considered “personal information” under COPPA, and what it means to “collect” data.
The “collection” definition reflects the evolution of technology and incorporates the new ways information is gathered, such as voice-activated devices. Businesses now “collect” data by requesting, prompting or encouraging the submission of information, even if it’s optional, the FTC noted.
In addition, the agency listed two other forms of collection: the passive tracking of a child online and information that is made publicly available (in an open chat, for example), unless the business takes reasonable measures to delete all or virtually all personal information before postings are made public and deletes all information from the records.
As for new products covered by the statute, the FTC reminded marketers that it defines the term “website or online service” broadly, to include mobile apps that send or receive information online (including social networking apps or apps that deliver behaviorally targeted ads), Internet-enabled gaming platforms, plug-ins, advertising networks, Internet-enabled location-based services, voice over Internet protocol services, and connected toys or other Internet of Things devices.
Step three requires businesses to notify parents directly about information practices before collecting personal information from their children (and to send an updated direct notice if a material change is made). For the next step, businesses must obtain verifiable consent from parents before collecting personal information from their children.
This step addresses two facial recognition and knowledge-based authentication questions for the first time. To use facial recognition technology, a business must verify the authenticity of a driver’s license photo or other photo ID submitted by the parent by comparing that photo to a second photo submitted by the parent. As for the questions, parents must answer a series of knowledge-based inquiries “that would be difficult for someone other than the parent to answer,” the FTC said.
In step five, businesses are required to honor parents’ ongoing rights with respect to personal information collected from their kids, and step six mandates the implementation of reasonable procedures to protect the security of children’s personal information.
The guidance also features a chart that sets forth the limited exceptions to the verifiable parental consent requirement.
To read the FTC’s guidance, click here.
Why it matters: Even though the agency did not establish new substantive requirements, advertisers should review the updated guidance to ensure they comply with the statute and the FTC’s COPPA Rule.